Main vendor vulnerabilities span authentication and design flaws
The analysis uncovered essential vulnerabilities throughout Verify Level, Zscaler and Netskope that fell into three main classes: authentication bypasses, credential storage failures and cross-tenant exploitation.
Authentication bypass vulnerabilities
Zscaler’s SAML implementation contained essentially the most extreme authentication flaw. The researchers found that the signature on the SAML assertion was solely checked for presence, and it wasn’t validated in opposition to the identification supplier’s public key. This allowed full bypass of identification supplier authentication by forging SAML responses with invalid signatures.
Netskope suffered from an identical however extra basic bypass. The enrollment API required no authentication, permitting attackers to register gadgets utilizing solely leaked group keys and legitimate electronic mail addresses.
Verify Level’s vulnerability centered on hard-coded encryption keys embedded in consumer binaries. These keys protected diagnostic log uploads containing JSON Internet Tokens (JWTs) that lived for 30 days creating a possible compromise situation for any buyer who had uploaded logs to help.
Credential storage and token administration flaws
All three distributors applied weak credential storage mechanisms. Zscaler saved Machine Token Authentication credentials in Home windows registry in clear textual content, permitting native attackers to extract tokens and impersonate any consumer by modifying registry values. Netskope’s “Safe Enrollment” tokens used DPAPI encryption with inadequate safety.
Vendor response and remediation
Vendor responses different considerably in velocity and effectiveness. In line with the researchers, Zscaler responded most quickly, initially patching their SAML vulnerability (CVE-2025-54982) inside 4 hours. Nevertheless, the repair launched compatibility points requiring a rollback earlier than a everlasting answer was applied.
